cube-js/cube

Automatically retrieve Redshift cluster credentials

Open

#306 opened on Dec 21, 2019

View on GitHub
 (3 comments) (0 reactions) (0 assignees)Rust (19,563 stars) (1,965 forks)batch import
driver:redshifthelp wanted

Description

Is your feature request related to a problem? Please describe. The AWS Redshift SDK allows retrieving credentials via an API:

import Redshift, { ClusterCredentials } from 'aws-sdk/clients/redshift';

const getCredentials = async () => {
  const creds = await redshift.getClusterCredentials({
    ClusterIdentifier: process.env.CUBEJS_DB_HOST,
    DbUser: process.env.CUBEJS_DB_USER,
  }).promise();

  if (!creds.DbUser && !creds.DbPassword) {
    throw new Error('Unable to retrieve Redshift credentials');
  }

  return creds as Required<ClusterCredentials>;
};

getCredentials()
  .then((credentials) => {
    const config = {
      database : process.env.CUBEJS_DB_NAME,
      host: process.env.CUBEJS_DB_HOST,
      password : creds.DbPassword,
      port: process.env.CUBEJS_DB_PORT,
      user: creds.DbUser,
    };
  })

Describe the solution you'd like

It would be great if CubeJS would automatically attempt to do the above if the CUBEJS_DB_PASS environment variable is omitted for Redshift projects.

Additional context A Serverless project using Redshift would require additional permissions to the IAM role:

iamRoleStatements:
    - Effect: 'Allow'
      Action:
        - 'redshift:GetClusterCredentials'
      Resource:
        - '<REDSHIFT_CLUSTER_ARN>/<REDSHIFT_USER>'

Contributor guide

Tech stack
typescriptnodejsaws
Domain
backenddatabase
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
AWS account with Redshift clusterFamiliarity with CubeJS configurationUnderstanding of AWS SDK
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
45
Research direction
The issue requests automatic credential retrieval for Redshift using the AWS SDK. The developer should examine the CubeJS driver for Redshift (likely in packages/cubejs redshift driver) to find where database credentials are used. Then implement a fallback to call getClusterCredentials if CUBEJS DB PASS is missing. Consider adding IAM role permissions documentation. No existing PRs or maintainer comments indicate a preferred approach.